Abstract: Mobile communications are used by more than two thirds of the world population who expect security and privacy guarantees. The 3rd Generation Partnership Project (3GPP) responsible for the worldwide standardization of mobile communication has designed and mandated the use of the AKA protocol to protect the subscribers' mobile services. Even though privacy was a requirement, numerous subscriber location attacks have been demonstrated against AKA, some of which have been fixed or mitigated in the enhanced AKA protocol designed for 5G.

In this paper, we reveal a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do. Our attack exploits a new logical vulnerability we uncovered that would require dedicated fixes. We demonstrate the practical feasibility of our attack using low-cost and widely available setups. Finally, we conduct a security analysis of the vulnerability and discuss countermeasures to remedy our attack.


1 Introduction 

As of 2018, around 5 billion mobile subscribers equipped with Universal Subscriber Identity Module cards (USIM) are accessing cellular network services (e.g., Internet, calls), mostly relying on 3G or 4G technologies [1] (e.g., ca. 75% of connections in Europe and North America). With the growing importance of cellular network services in our daily activities, there is a crucial need to provide security and privacy protection to mobile subscribers.

The 3rd Generation Partnership Project (3GPP) group, responsible for the standardization of 3G, 4G, and 5G technologies, designed the Authentication and Key Agreement (AKA) protocol that aims at mutually authenticating a phone equipped with a USIM card with networks, and establishing keys to protect subsequent communications. This protocol is notably implemented in all 3G and 4G USIM cards and cellular networks worldwide. For 5G, the 3GPP has standardized 5G AKA, an enhanced version of AKA [2]. In addition, AKA is also used in Extensible Authentication Protocol (EAP) mechanisms (e.g., EAP-AKA, EPS-AKA, EPS-AKA') to secure point-to-point protocol authentication methods, wireless LAN internetworking, and generic authentication architectures including generic solutions for securing HTTP based services [3, 4]. In a nutshell, AKA is a challenge-response protocol mainly based on symmetric cryptography and a sequence number (SQN) used to verify the freshness of challenges, preventing replay attacks.

While privacy was an explicit requirement for 3G and 4G [5, 6], numerous fake base station attacks have been shown to compromise subscriber privacy in these networks [7-15]. The fake base station attacks typically exploit weaknesses in the AKA protocol such as the non-protected identity request mechanism (e.g., with IMSI-catchers [9-15]) and the privacy leak resulting from authentication failure messages [7, 8]. In practice, those attacks break subscriber location privacy: an attacker can identify if certain subscribers are in the range of the attacker's fake base stations. For 5G, the 3GPP has improved AKA in order to mitigate these well-known privacy issues [2]. The 5G AKA protocol notably introduces randomized asymmetric encryption for protecting identifiers sent prior to authentication.

Contributions. In this paper, we reveal a new privacy attack against all variants of the AKA protocol (including 5G AKA and EAP variants) that breaches subscribers' privacy more severely than known location privacy attacks do. Our attack exploits a new logical vulnerability we uncovered in the protocol specification that would require dedicated fixes. More precisely, we make the following contributions:

1. New logical vulnerability and privacy attacks on AKA. We found a new logical vulnerability in the specifications of all aforementioned variants of AKA: the protection mechanism of the SQN can be defeated under specific replay attacks due to its use of Exclusive-OR (XOR) and a lack of randomness. We show how to leverage this vulnerability to break the confidentiality of SQN, thus defeating the purpose of a dedicated protection mechanism and breaking an explicit privacy requirement [6]. We show that partly learning SQN leads to a new class of privacy attacks (i.e., activity monitoring attacks): an active attacker can leverage fake base stations and our attack to learn information about targeted subscribers' mobile service consumption, even when subscribers move away from the attack area (e.g., the range of a fake base station). This is in stark contrast to location attacks, which do not reveal service consumption and require the targeted subscribers to stay in attack areas. Less importantly, we show that our logical vulnerability also yields a new location attack.

2. Low-cost proof of concept. We demonstrate the feasibility of our attack using a widely available and low-cost setup on commercial 4G networks in several European countries. Our attack affects all 3G and 4G devices currently deployed all over the world and future 5G devices (according to the specification [2]).

3. Security analysis and countermeasures. 
We discuss the weaknesses of the AKA protocol, its 
deployment, design trade-offs, and the overall cellular 
architecture that have made possible our attack in order 
to draw lessons for the future generation networks. We 
propose countermeasures to our attack and establish 
formal security guarantees using the state-of-the-art 
tool Tamarin [16]. 

Impact. Unlike the previously known location privacy attacks [7-15], we disclose a new type of privacy attack enabling subscriber activity monitoring. We now discuss subsequent impacts of our attack. First, an attacker can learn 3G, 4G, and 5G subscribers' typical activity patterns (e.g., number of calls, SMSs sent in a given time). We stress that those activity patterns can be monitored remotely for a long time even if, most of the time, subscribers move away from the attack areas. We followed the responsible disclosure procedure and reported our findings to the 3GPP, GSM Association (GSMA), several manufacturers (Ericsson, Nokia, and Huawei), and carriers (Deutsche Telekom and Vodafone UK). Our findings were acknowledged by the 3GPP and GSMA and remedial actions are underway to improve the protocol for next generations. Finally, while 5G AKA will suffer from our attack in the first deployment of 5G (i.e., Release 15 [2], phase 1), we are still hopeful that 5G AKA could be fixed before the deployment of the second phase (Release 16, to be completed by the end of 2019).

Outline. In Section 2, we explain the general cellular security architecture and the core protocol underlying all AKA protocol variants. Section 3 presents our new logical vulnerability breaking the confidentiality of SQN. In Section 4, we show how the latter can be exploited to mount activity monitoring and location attacks and discuss practical impact. In Section 5, we show the feasibility of our attacks in real 4G networks. We conduct a security analysis in Section 6 and provide potential countermeasures in Section 7. We conclude in Section 8.


2 Background 

We first give a high-level overview of the security architecture used in 3G, 4G and 5G networks and explain how mobile subscribers are authenticated to the network using the AKA protocol. We then describe the different privacy requirements of 3G, 4G, and 5G networks outlined in the 3GPP specification. We conclude with a discussion on threat models, previously known attacks against the AKA protocol, formerly proposed fixes, and a comparison with our attack.

2.1 Security Architecture and the AKA 
Protocol 

We describe a simplified view of the security architecture deployed in cellular networks and focus on the parts that are necessary to understand our attack. We also slightly simplify our description of the AKA protocol for the sake of clarity and only focus on the core protocol which is common to all the AKA protocol variants. Further, we adopt a simplified terminology since the official terminology heavily depends on the generation. We refer the knowledgeable reader to Appendix A where an informal correspondence with standardized terminologies for the different generations is given.

2.1.1 Architecture 

The cellular network architecture mainly consists of three components. First, User Equipments (UEs) are carried by subscribers (we shall use both terms interchangeably) and are typically smartphones or IoT devices containing a USIM card. Second, Home Networks (HNs) contain a database of their subscribers and their corresponding USIM cards and are in charge of their authentication. However, it is often the case that UEs are in locations where their corresponding HN has no base station (i.e., antennas that may connect UEs to the network). Therefore, the architecture also considers a third entity: the Serving Networks (SNs) to which UEs may attach and that play the role of relays to HNs.

Fig. 1. The AKA protocol (message flow between User Equipment (UE), Serving Network (SN) and Home Network (HN)). K denotes K_IMSI.

Each UE contains a USIM having cryptographic capabilities (e.g., symmetric encryption, MAC) which notably stores:

- a unique and permanent subscriber identity, called International Mobile Subscriber Identity (IMSI),

- a unique, permanent secret symmetric key that we denote K_IMSI (used as a shared secret between a UE and its corresponding HN),

- and a 48-bit counter, called Sequence Number, that we denote SQN (used as a replay protection, as explained later in this section).

The HN associated to some USIM card stores the same information in its database. When the context is clear, we use K to refer to K_IMSI.
2.1.2 The AKA Protocol

When a UE attaches to a SN (or when the UE requests access to a service such as sending an SMS or making a call), it needs to establish a secure channel with the SN (ensuring confidentiality of the user data) after authenticating itself to its corresponding HN (mainly for billing purposes) and authenticating its HN (so that a fake SN cannot establish such a channel and break confidentiality). To do so, 3GPP has standardized the AKA protocol (the only authentication method allowed for 3G, 4G and 5G for 3GPP access). While this protocol has evolved with each generation [2, 6, 17], its core specification remained the same. We shall only focus on this core protocol, which already suffers from our attack.

The AKA protocol achieves mutual authentication and key exchange between a UE and its corresponding HN, relying on some SN that is known by the HN. It allows some UE and SN to establish session keys to be used to secure subsequent communications (e.g., integrity and confidentiality of calls or SMSs). As mentioned before, the key K_IMSI is used as a long-term shared secret, and SQN is used as a replay protection for the UE. While SQN is expected to be synchronized between the UE and HN, it may become out-of-sync. We thus use SQN_UE (resp. SQN_HN) to refer to the SQN value stored in the UE (resp. HN). The AKA protocol is made up of 3 main phases: identification, challenge-response, and the re-synchronization procedure (which is optional and aims at updating SQN on the HN side in case SQN is out-of-sync). The whole protocol flow is depicted in Figure 1.

Identification. First, the SN identifies the UE. If the current UE's identity is unknown to the SN, it may ask for the permanent identity IMSI (or an encryption thereof in 5G) by sending an Identity Request message. The UE then gives its identity in an Identity Response message. This identity enables the SN to request authentication material from the appropriate HN in the next phase. In 5G, the UE never reveals its permanent identity in plaintext. It rather sends a randomized encryption of it, protected with the HN's public key, along with the HN's identity (forming the so-called SUCI [2]).

Challenge-response. Upon reception of a request for authentication material from a SN, the HN computes an authentication challenge made of a random nonce R and some message AUTN. In addition, the expected authentication response xRES = f2(R, K_IMSI), the encryption key CK, and the integrity key IK are also computed by the HN (but not sent by the SN to the UE). Note that, in 5G, the message xRES has a slightly different form; this has no impact on our attack. The functions f1–f5, used to compute the authentication parameters, are mutually unrelated one-way keyed cryptographic functions, and ⊕ denotes the eXclusive-OR (XOR) operator.

AUTN contains a MAC (Message Authentication Code) of the concatenation of R with the corresponding sequence number SQN_HN stored for this subscriber. A new sequence number is generated by incrementing the counter. The sequence number SQN_HN allows the UE to verify the freshness of the authentication request to defend against replay attacks, and the MAC proves the authenticity of the challenge.

The UE replies with an Authentication Response message when the authentication is successful, or with an Authentication Failure message carrying the cause of failure otherwise. To check whether authentication is successful or not, the UE extracts xSQN_HN from AUTN and checks that: (i) MAC is a correct MAC value w.r.t. K_IMSI, and replies Mac_failure if it is not the case; (ii) the authentication request is fresh (i.e., xSQN_HN > SQN_UE and xSQN_HN < SQN_UE + Δ), and replies Sync_failure, AUTS otherwise (AUTS is explained next). The quantity Δ is a threshold that is fixed according to an availability vs. security trade-off. If all checks hold then the UE computes the ciphering key CK and the integrity key IK and stores them to secure subsequent messages. It also computes the authentication response RES and sends it to the SN in an Authentication Response message. Only RES is included in the message; other computed values like CK and IK are not transmitted. The SN authenticates the UE by verifying whether the received response matches xRES. If so, the AKA protocol is successfully completed and subsequent communications can be secured using the secret keys IK and CK.

Re-synchronization procedure. In case of a synchronization failure (case (i) holds but (ii) fails), the UE replies with Sync_failure, AUTS. The purpose of the AUTS message is to allow the HN to re-synchronize with the UE by replacing its own SQN_HN by the sequence number of the UE (i.e., SQN_UE + 1). However, SQN_UE is not transmitted in clear text to avoid being eavesdropped on. Thus, the specification requires SQN to be concealed; i.e., XORed with a value, called Anonymity Key, that should remain private: AK* = f5*(R, K_IMSI). Formally, the concealed value is as follows: CONC* = SQN_UE ⊕ AK*, and it allows the HN to extract SQN_UE by computing AK*. Note that f5* and f1* are independent one-way keyed cryptographic functions completely unrelated to the functions f1–f5. Finally, AUTS = CONC*, MAC* where MAC* = f1*(K_IMSI, (SQN_UE, R, AMF)), allowing the HN to authenticate this message as coming from the intended UE.

2.2 Privacy Requirements 

The 3G and 4G specifications consider user identity and location confidentiality, and user untraceability as explicit privacy requirements [6, 17]. Privacy was even more of a critical security goal in the design of 5G, as acknowledged by the standard:

[18]: "Subscription privacy deals with various aspects related to the protection of subscribers' personal information, e.g., identifiers, location, data, etc. [...] The subscription privacy is very important area for Next Generation system as can be seen by the growing attention towards it, both inside and outside [3GPP]."

We also emphasize that SQN is considered to be privacy-sensitive, and must be protected (i.e., remain confidential) by the AKA protocol:

[6]: "[AK*] is an anonymity key used to conceal the sequence number as the latter may expose the identity and location of the user."

More recently, a 3GPP study on privacy explains that:

[19]: "[AKA] is an example of how to fulfill anonymity: [...] Anonymizing technique used: use Anonymity Key in the Authentication Token to conceal (blind) the sequence number."

As we shall see, our attack defeats the purpose of the anonymity key AK*.

2.2.1 Threat Model 

While designing the AKA protocol in the year 2000, fake base stations were considered expensive in terms of required financial resources and attacker's capabilities. However, such fake base stations can now be easily built using, e.g., widely available hardware [20] or even WiFi technology [21]. Therefore, in our security analysis, we consider both passive and active attacker models for 3G, 4G, and 5G networks.

Passive. The passive adversary can sniff over-the-air radio broadcast channels using dedicated hardware and software (as described in Section 5). Note that he does not need to know any key material used in the authentication procedure.

Active. In addition, the active adversary has the capability to set up and operate a rogue base station to inject malicious traffic towards UEs. To achieve this, we assume he knows the protocol specification. However, we do not assume he knows any cryptographic keys.

2.3 Related Work on AKA and Known 
Flaws 

There are numerous known attacks against the AKA protocol that were often described for older generation cellular networks but are still inherited in 4G networks due to the support of legacy systems and re-use of the same core protocol from AKA.

Identity Requests and IMSI-catchers. The first kind of attacks relies on the unprotected identity request mechanism that is broadcast over-the-air and is often termed as IMSI-catchers.

In a nutshell, an active attacker can easily broadcast an identity request to all the UEs in the area. Consequently, the UEs will reply with their permanent identities; this flaw is commonly exploited in IMSI catcher attacks [9-12] to track subscribers in certain geographical areas. Even though UEs may use temporary identities, a passive attacker can find correlations between them and social identities [9] (including Facebook, Twitter, or phone number).

Several studies cover research on how to secure unprotected messages carrying identity requests by additional cryptographic mechanisms [7, 22, 23]. More importantly, in order to comply with the new stronger privacy protection requirement in 5G, 3GPP has modified the identity request phase of the AKA protocol. As mentioned earlier, the UE sends its permanent identity protected by a randomized, asymmetric encryption using the HN's public key, in such a way that the SNs or fake base stations only learn the underlying HN. Therefore, the aforementioned IMSI catcher attacks will be defeated in 5G.

However, note that, even after fixing these vulnerable messages (including the fix in 5G phase 1 [2]), our attack re-introduces new subscriber privacy risks since it does not rely on this identification phase.

Linkability of failure messages. A few other attacks [7, 8] exploit the fact that the AKA protocol exposes to the attacker the reason of the failure when an authentication is rejected by a UE: either Mac_Failure or Sync_Failure. This allows to track a targeted UE: it suffices to replay an old authentication challenge that the UE has already received and then observe whether the reply is Mac_Failure (not the targeted UE) or Sync_Failure (only replied by the targeted UE). Again, our attack does not rely on distinguishing between the two sources of failure and cannot be prevented by fixing this issue alone (e.g., by merging the two sources of failure into a single message).

Fig. 2. Privacy threats depend on the UE's location, depicted with a dot. The attacker's fake base station (resp. genuine base station) is depicted with a cross (resp. box). Independent of the UE's location, the UE's activities have an effect on SQN stored at the HN. (a) When the UE is in the attack area, it was known that it may be subject to tracking, location attacks, and monitoring attacks. (b) A UE was supposed to be safe when outside of attack areas. This is no longer the case due to our attack.

2.4 Comparisons Between Existing 
Attacks and our Attack 

First, as explained in Section 2.3, our attack relies on a different logical vulnerability that is completely orthogonal to the attack vectors of prior, known attacks (i.e., unprotected identities and linkability of failure messages). Therefore, our attack would require different and dedicated fixes.

Second, our attack poses a new kind of threat on privacy as it allows an attacker to learn subscribers' mobile service consumption patterns. In contrast, prior privacy attacks only leak the presence of targeted UEs in attack areas.

Third, our attack can break subscribers' privacy even when they escape attack areas. Indeed, recall that we consider a threat model for which attackers may exploit a limited number of fake base stations deployed at specific locations; typically busy crossing points (e.g., subway or train stations, airports), targeted offices (e.g., nearby embassies), or places visited on a regular basis by targeted UEs (e.g., shops). With prior attacks, there were two very different situations (depicted in Figure 2):

- if the targeted UE is outside the range of the attacker's base stations (e.g., at home), then the UE is completely safe: no fake base station-based attacks could break the subscriber's privacy (situation shown in Figure 2b);

- otherwise, the subscriber may be subject to location attacks or monitoring attacks (i.e., the attacker may eavesdrop on communication between the UE and the SN to learn when the UE consumes services) (situation depicted in Figure 2a).

Therefore, even though the UEs may be attacked when in the range of the attacker's fake base stations, as soon as they escape such (a priori narrow) areas, they were safe.

This is unfortunately no longer the case as our attack introduces a totally new threat on privacy. Indeed, even when UEs are using mobile services outside the attack area, part of this activity may be leaked to some adversary using our attack the next time the UE enters the attack area again. Intuitively, this is because, independently of its location, the UE's activity has an effect on the counter SQN stored in the HN that will be leaked when the UE is (actively) under attack (we extensively discuss impacts on privacy in Section 4). We call this new kind of threat activity monitoring attacks. Hence, areas outside fake base stations' range are no longer safe.

3 Logical Attack 

In this section, we reveal the main attack vector based on a new logical vulnerability (Section 3.1) that can be exploited to mount an attack breaking the confidentiality of SQN (Section 3.2).
3.1 Logical Vulnerability

Our attack vector exploits a lack of randomness and the use of XOR in AUTS, more precisely in the concealed sequence number $CONC^* = SQN_{UE} \oplus AK^*$ where $AK^* = f5^*(R, K_{IMSI})$. The value $R$ is extracted from the challenge $R, AUTN$ received by the UE. Therefore, if the UE receives the same challenge $R, AUTN$ two times and yields two synchronization failures, then the two concealed SQNs will be of the form $CONC^*_1 = SQN^1_{UE} \oplus AK^*_1$ and $CONC^*_2 = SQN^2_{UE} \oplus AK^*_2$ such that

$$AK^*_1 = f5^*(R, K_{IMSI}) = AK^*_2.$$

Therefore, an attacker having a genuine challenge $R, AUTN$ for some UE can transmit it to the UE at two different times $t_1$ and $t_2$, retrieve the values $CONC^*_1$ and $CONC^*_2$, and compute:

$$CONC^*_1 \oplus CONC^*_2 = (SQN^1_{UE} \oplus AK^*_1) \oplus (SQN^2_{UE} \oplus AK^*_2) = SQN^1_{UE} \oplus SQN^2_{UE}$$

where $SQN^i_{UE}$ is the value of $SQN_{UE}$ at time $t_i$. We show in the next section that by cleverly choosing several timestamps $t_i$, the attacker is able to exploit values such as $SQN^i_{UE} \oplus SQN^j_{UE}$ to break the confidentiality of SQN.

3.2 Breaking the Confidentiality of SQN 

We show how an active attacker who knows any UE's identity (temporary, permanent, or encrypted) is then able to learn the $n$ least significant bits of $SQN_{HN}$, stored in the HN. The attacker first fetches $2^n + 2$ successive, fresh authentication challenges intended for the targeted UE and replays a total of $2(n+2)$ of them to the UE. The interaction is depicted in Figure 3. The attack ends with an offline computation using $\mathsf{algo}(\cdot)$, which takes the fetched AUTS messages as inputs and returns the $n$ least significant bits of the sequence number $SQN_{HN}$.

In a nutshell, the attack consists in choosing appropriate injections and timestamps $t_i$ such that the attacker can retrieve the values $\delta_i = SQN_{HN} \oplus (SQN_{HN} + 2^i)$ for $0 \le i < n$ (see Section 3.2.1). We then explain (Section 3.2.2) how one can infer from the $\delta_i$'s the $n$ least significant bits of $SQN_{HN}$. Finally, we also show that, under certain circumstances (i.e., when the UE performs a lot of authentication sessions while in the attack area), a far less costly variant of the attack (only $n + 2$ injections) achieves the same goal (Section 3.2.3).


We describe the attack and our inference algorithm when the HN increments $SQN_{HN}$ by 1 after each successful authentication, as described in Section 2. Our attack works for any such increment; the interaction is always the same and we designed a generic $\mathsf{algo}(\cdot)$ parametrized by the increment used by the operator. However, for the sake of clarity, we only describe here our attack and our generic algorithm for an increment equal to 1. We describe the full algorithm in Appendix B. Note that the full algorithm might actually infer more than $n$ bits for some inputs; we report on practical results of this algorithm in Section 5.

3.2.1 Fetching Data

In a first phase (loop for $i = 0$ to $2^n$ in Figure 3), the attacker needs to fetch consecutive challenges $R_i, AUTN_i$ intended for the targeted UE. This is made possible by the fact that, in the AKA protocol, the UE receives such challenges prior to authentication but after identification. Therefore, an attacker only needs to know one valid identity of the targeted UE (e.g., IMSI, temporary identifiers such as TMSI, or encrypted permanent identities such as SUCI) in order to (partly) impersonate the UE to the SN (and the corresponding HN) and get those challenges. We will explain in Section 5 how this can be easily done in practice. Note that because $SQN_{HN}$ is incremented by 1 after the computation of every challenge, $R_i, AUTN_i$ is computed based on some SQN value (that we denote by $SQN_{HN}(AUTN_i)$) equal to $SQN^0_{HN} + i$.

Immediately after the first phase, the attacker injects the first challenge he obtained: $R_0, AUTN_0$. From the UE's perspective, this is a genuine challenge (the MAC verification (i) succeeds) that has never been received before and that is based on a recent enough $SQN_{HN}(AUTN_0) = SQN^0_{HN}$ (the freshness verification (ii) succeeds). At this time (before the second loop), $SQN_{UE}$ equals $SQN^0_{HN} + 1$. Then, the attacker injects again the challenge $R_0, AUTN_0$, yielding a synchronization failure containing some $AUTS = (c, MAC^*)$ message where the concealed SQN equals:

$$c = (SQN^0_{HN} + 1) \oplus f5^*(R_0, K_{IMSI}).$$

In the last phase (loop for $j = 0$ to $n$ in Figure 3), the attacker injects $R_{2^j}, AUTN_{2^j}$, which is accepted by the UE, in order to make the UE update its $SQN_{UE}$ to the value

$$SQN_{UE} := SQN_{HN}(AUTN_{2^j}) + 1 = SQN^0_{HN} + 2^j + 1.$$


New Privacy Threat on 3G, 4G and Upcoming 5G AKA Protocols


Data: δ_i = (2^i + X) ⊕ X for 0 ≤ i < n (in little-endian), n ≤ 48
Result: Res: n least significant bits of X (in little-endian)

Res ← [0, 0, ..., 0]  // size n
for i from 0 to n − 1 do
    // Let's analyze δ_i at bit positions i, i + 1
    (b1, b2) ← (δ_i[i], δ_i[i + 1])
    if (b1, b2) == (1, 0) then
        // no carry propagates when adding 2^i to X
        Res[i] ← 0
    elif (b1, b2) == (1, 1) then
        // a carry propagates when adding 2^i to X
        Res[i] ← 1
    else  // cannot happen
        Error
end
return Res

Algorithm 1: SQN Inference Algorithm

After each such injection, the attacker then injects again the challenge $R_0, AUTN_0$, provoking a synchronization failure containing some $AUTS_j = (c_j, MAC^*_j)$ where:

$$c_j = (SQN^0_{HN} + 2^j + 1) \oplus f5^*(R_0, K_{IMSI}).$$

3.2.2 Inference Algorithm

We now describe $\mathsf{algo}(\cdot)$, which takes the $n + 2$ fetched AUTS messages (i.e., $c$ and $c_j$ for $0 \le j < n$) as inputs and outputs the $n$ least significant bits of $1 + SQN^0_{HN}$. Recall that $c = (1 + SQN^0_{HN}) \oplus f5^*(R_0, K_{IMSI})$ and $c_j = (1 + SQN^0_{HN} + 2^j) \oplus f5^*(R_0, K_{IMSI})$. Therefore, for any $0 \le j < n$, it holds that:

$$c \oplus c_j = (1 + SQN^0_{HN}) \oplus (2^j + 1 + SQN^0_{HN}).$$

We denote by $\delta_j$ the quantity $c \oplus c_j$. One has that $\delta_i = (2^i + X) \oplus X$ for all $0 \le i < n$ where $X = 1 + SQN^0_{HN}$ is the quantity we seek to infer the $n$ least significant bits of. In a nutshell, the idea of the algorithm consists in analyzing how carries propagate in $(2^i + X)$ at bit positions $i$ and $i + 1$ (in little-endian notation) by looking at $\delta_i$. Considering $X$ and $\delta_i$ as arrays of 48 bits in little-endian, we describe the algorithm in Algorithm 1 that, given the $\delta_i$'s, infers $n$ bits of $X$. Note that this algorithm can be executed completely offline on the collected data.
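The following Python model is an illustration added to this page; it is not the paper's code nor any 3GPP implementation. It puts Sections 2.1.2, 3.1, 3.2.1 and 3.2.2 together: a toy HN and UE run the core AKA exchange (MAC check, freshness window Δ, Sync_failure with AUTS, re-synchronization), an attacker replays challenges in the order of Figure 3, and Algorithm 1 recovers the n least significant bits of SQN from the XORed AUTS values. Assumptions of the model: f1, f2, f5, f1* and f5* are stand-ins built from HMAC-SHA256 with distinct tags (the real MILENAGE functions play no role in the logic); Δ is set to 2^28; and the toy UE stores the accepted SQN itself rather than SQN + 1, so the recovered quantity X is SQN^0_HN rather than 1 + SQN^0_HN in the paper's convention.

```python
import hashlib
import hmac
import os
import secrets

SQN_BITS = 48
SQN_MASK = (1 << SQN_BITS) - 1
DELTA = 1 << 28  # freshness window Delta; value assumed for this toy model

def kf(tag: bytes, key: bytes, *parts: bytes) -> int:
    """Toy keyed one-way function (HMAC-SHA256 truncated to 48 bits).
    Distinct tags stand in for the mutually unrelated f1, f2, f5, f1*, f5*."""
    digest = hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()
    return int.from_bytes(digest[:6], "big")

def sb(sqn: int) -> bytes:  # 48-bit SQN as 6 bytes
    return sqn.to_bytes(6, "big")

class HomeNetwork:
    def __init__(self, key: bytes, sqn0: int):
        self.key, self.sqn = key, sqn0

    def challenge(self):
        """(R, AUTN) with AUTN = (SQN_HN xor AK, MAC over R and SQN_HN); SQN_HN is then incremented."""
        R = os.urandom(16)
        sqn, self.sqn = self.sqn, (self.sqn + 1) & SQN_MASK
        return R, (sqn ^ kf(b"f5", self.key, R), kf(b"f1", self.key, R, sb(sqn)))

    def resync(self, R: bytes, auts) -> bool:
        """Unmask SQN_UE with AK*, verify MAC*, then set SQN_HN := SQN_UE + 1."""
        conc_star, mac_star = auts
        sqn_ue = conc_star ^ kf(b"f5*", self.key, R)
        if mac_star != kf(b"f1*", self.key, R, sb(sqn_ue)):
            return False
        self.sqn = (sqn_ue + 1) & SQN_MASK
        return True

class UserEquipment:
    def __init__(self, key: bytes, sqn0: int):
        self.key, self.sqn = key, sqn0

    def receive(self, R: bytes, autn):
        """Check (i) the MAC, then (ii) freshness SQN_UE < xSQN < SQN_UE + Delta."""
        conc, mac = autn
        xsqn = conc ^ kf(b"f5", self.key, R)
        if mac != kf(b"f1", self.key, R, sb(xsqn)):
            return "Mac_failure", None
        if not (self.sqn < xsqn < self.sqn + DELTA):
            ak_star = kf(b"f5*", self.key, R)  # depends on R and K only: a replayed R reuses it
            return "Sync_failure", (self.sqn ^ ak_star, kf(b"f1*", self.key, R, sb(self.sqn)))
        self.sqn = xsqn
        return "RES", kf(b"f2", self.key, R)

def resync_roundtrip(key: bytes) -> bool:
    """UE ahead of HN: stale challenge -> Sync_failure/AUTS -> HN catches up -> next challenge accepted."""
    hn, ue = HomeNetwork(key, 100), UserEquipment(key, 500)
    R, autn = hn.challenge()
    status, auts = ue.receive(R, autn)
    if status != "Sync_failure" or not hn.resync(R, auts):
        return False
    return ue.receive(*hn.challenge())[0] == "RES"

def infer_low_bits(deltas) -> int:
    """Algorithm 1: delta_i = (X + 2^i) xor X always flips bit i, and flips bit i+1 iff X[i] = 1."""
    x = 0
    for i, d in enumerate(deltas):
        if ((d >> i) & 1) != 1:
            raise ValueError("delta_%d does not flip bit %d: inconsistent input" % (i, i))
        x |= ((d >> (i + 1)) & 1) << i
    return x

def _replayed_conc(ue: UserEquipment, R0: bytes, autn0) -> int:
    status, payload = ue.receive(R0, autn0)
    if status != "Sync_failure":
        raise RuntimeError("replay of (R0, AUTN0) should give Sync_failure, got " + status)
    return payload[0]  # CONC* = SQN_UE xor AK*

def sqn_inference_attack(hn: HomeNetwork, ue: UserEquipment, n: int) -> int:
    """Injection schedule of Figure 3; returns the n least significant bits of SQN^0_HN."""
    fetched = [hn.challenge() for _ in range(2 ** (n - 1) + 1)]  # AUTN_i carries SQN^0_HN + i
    R0, autn0 = fetched[0]
    if ue.receive(R0, autn0)[0] != "RES":
        raise RuntimeError("first injection of (R0, AUTN0) should be accepted")
    c = _replayed_conc(ue, R0, autn0)  # c = X xor AK*, with X = SQN^0_HN
    deltas = []
    for j in range(n):
        if ue.receive(*fetched[2 ** j])[0] != "RES":  # SQN_UE := X + 2^j
            raise RuntimeError("injection of AUTN_{2^%d} should be accepted" % j)
        c_j = _replayed_conc(ue, R0, autn0)  # same R0, same AK*: c_j = (X + 2^j) xor AK*
        deltas.append(c ^ c_j)  # AK* cancels: delta_j = X xor (X + 2^j)
    return infer_low_bits(deltas)

if __name__ == "__main__":
    K, sqn0 = secrets.token_bytes(16), 1 + secrets.randbelow(1 << 40)
    got = sqn_inference_attack(HomeNetwork(K, sqn0), UserEquipment(K, sqn0 - 1), 12)
    print("inferred %s, expected %s, resync ok: %s" % (format(got, "012b"), format(sqn0 & 0xFFF, "012b"), resync_roundtrip(K)))
```

Two points the code makes explicit: the anonymity key AK* is a function of R and K only, so every replay of the same challenge masks the current SQN_UE with the same key stream, and the inference never needs the MAC* values, only the CONC* parts. The number of fetched challenges grows as 2^(n-1), which is what limits n in practice.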


3.2.3 Improving the Attack Under a Stronger Threat Model

When the targeted UE stays a long time in the attack area or intensely consumes mobile services (triggering a lot of AKA authentication sessions), the attacker has a simpler way to break the confidentiality of SQN. This kind of scenario is realistic when the attack areas are, e.g., offices where targeted UEs stay most of the day but expect to be safe when being outside attack areas (e.g., at home).

Essentially, instead of fetching the challenges $R_i, AUTN_i$ and injecting the challenges that are accepted by the UE (i.e., $R_0, AUTN_0$ and then $R_{2^j}, AUTN_{2^j}$ for $0 \le j < n$), the attacker can let the UE attach to any genuine SN and let it receive challenges and complete the AKA sessions. The attacker just passively eavesdrops on the exchanged messages, notably the challenges, and counts the number of successful authentications. However, the attacker still needs to (actively) replay the challenge $R_0, AUTN_0$ at appropriate times; more precisely, after the UE received the genuine challenge $(R_0, AUTN_0)$ and then the challenges $(R_{2^j}, AUTN_{2^j})$ for $0 \le j < n$. This variant is far less costly: it only requires passive attacking capabilities and $n + 2$ additional (active) injections.

3.2.4 Variants for Other SQN Policies 

According to non-normative parts of the specification [6], SQN and its update policy can take different forms. We briefly explain how our attack can be easily adapted for those variants. We refer to Appendix C for more details.

SQN can be composed of two components SQN = SEQ ∥ IND where SEQ is a 43-bit integer that counts all past AKA sessions and IND is a 5-bit index that describes the SN for which the given SEQ is valid. When such a policy is in use, one can use a slightly different variant of our attack: (i) injections of authentication challenges should be done while using the same SN identifier towards the UE and the same SN while fetching authentication tokens, and (ii) the algorithm used to infer bits should drop the 5 bits of SQN corresponding to IND. This allows the attacker to break the counter part of SQN, namely SEQ, leading to the same privacy attacks explained in the next section.
Fig. 3. Sequence Number Inference Attack: message flow between the User Equipment (UE), the attacker and the network (SN + HN) (where SQN^0_HN is the initial SQN for IMSI stored in the HN and [X]_n denotes the n least significant bits of X).
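The inference step behind Figure 3 and Sections 3.2.2 to 3.2.4, as an added, self-contained simulation (this is not the paper's tooling). The USIM's synchronisation failure conceals SQN_UE as CONC = SQN_UE ⊕ AK* with AK* = f5*(K, RAND); replaying the same RAND therefore yields the same AK*, and XORing two CONC values leaves SQN ⊕ (SQN + T) for a T the attacker chose, whose carry pattern reveals the low bits of SQN. f5* is replaced by a truncated HMAC (an assumption: only its determinism in (K, RAND) matters here), the MAC check and acceptance window of the USIM are omitted, the increment is γ = 1 (the value found in Section 4.1), and the numbering of injected challenges is simplified relative to Figure 3 (challenge 0 is accepted, then replayed to obtain the baseline AUTS).

```python
"""SQN inference from AUTS messages (added simulation; not the paper's own tooling).

The USIM's sync-failure answer conceals SQN_UE as CONC = SQN_UE xor AK*, where
AK* = f5*(K, RAND) depends only on the replayed RAND. XORing two CONC values for
the same RAND cancels AK* and leaves SQN xor (SQN + T) for a known T, whose carry
pattern reveals the low bits of SQN."""
import hashlib
import hmac
import secrets

SQN_BITS = 48
SQN_MASK = (1 << SQN_BITS) - 1


def f5_star(k: bytes, rand: bytes) -> int:
    """Stand-in for MILENAGE f5* (assumption: HMAC-SHA256 truncated to 48 bits);
    only its determinism in (K, RAND) matters for the attack."""
    return int.from_bytes(hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:6], "big")


class HomeNetwork:
    """Issues authentication vectors; SQN_HN advances by `inc` per vector."""

    def __init__(self, k: bytes, sqn0: int, inc: int = 1):
        self.k, self.sqn_hn, self.inc = k, sqn0, inc

    def challenge(self) -> tuple:
        self.sqn_hn = (self.sqn_hn + self.inc) & SQN_MASK
        # A real AUTN carries SQN xor AK plus a MAC that the attacker cannot open;
        # here the SQN is simply handed to the USIM object and never read by the attacker.
        return secrets.token_bytes(16), self.sqn_hn


class USIM:
    def __init__(self, k: bytes, sqn_ue: int):
        self.k, self.sqn_ue = k, sqn_ue

    def authenticate(self, rand: bytes, sqn_chal: int) -> tuple:
        """Accept a fresh challenge (MAC check and acceptance window elided), otherwise
        answer a sync failure whose CONC = SQN_UE xor AK* is the weak point."""
        if sqn_chal > self.sqn_ue:
            self.sqn_ue = sqn_chal
            return "RES", None
        return "AUTS", self.sqn_ue ^ f5_star(self.k, rand)


def _must_accept(usim: USIM, chal: tuple) -> None:
    if usim.authenticate(*chal)[0] != "RES":
        raise RuntimeError("injected challenge was not accepted; injection order is wrong")


def collect_deltas(hn: HomeNetwork, usim: USIM, n_bits: int) -> list:
    """Attacker: fetch 2^n challenges (as a fake UE), make the USIM accept challenge 0,
    replay it to obtain AUTS_0, then for p = 0..n-1 inject challenge 2^p and replay
    challenge 0 again. delta_p = AUTS_0 xor AUTS_p = X xor (X + 2^p * inc)."""
    chals = [hn.challenge() for _ in range(1 << n_bits)]
    _must_accept(usim, chals[0])
    auts0 = usim.authenticate(*chals[0])[1]
    deltas = []
    for p in range(n_bits):
        _must_accept(usim, chals[1 << p])
        deltas.append(auts0 ^ usim.authenticate(*chals[0])[1])
    return deltas


def infer_seq_bits(deltas: list, ind_bits: int = 0) -> dict:
    """From delta_p = X xor (X + 2^p) (increment gamma = 1) learn bits of X: adding 2^p
    flips bit p and, when bit p is 1, the carry ripples through the run of ones above it
    up to the first 0. Under the SEQ||IND policy the lowest `ind_bits` bits are IND and
    are dropped (Section 3.2.4), so X is SEQ. Returns {bit position: value}."""
    known = {}
    for p, d in enumerate(deltas):
        d >>= ind_bits
        if d & ((1 << p) - 1) or not (d >> p) & 1:
            raise ValueError(f"delta_{p} = {d:#x} is incoherent with an increment of 2^{p}")
        q = p + (d >> p).bit_length() - 1  # highest flipped bit = first 0 of X at or above p
        for b in range(p, q):
            known[b] = 1
        known[q] = 0
    return known


def run_attack(k: bytes, sqn0: int, n_bits: int, ind_bits: int = 0) -> tuple:
    """Returns (bits of SEQ learned by the attacker, the true SEQ they describe)."""
    hn = HomeNetwork(k, sqn0, inc=1 << ind_bits)  # SEQ + 1 is SQN + 2^ind_bits when IND is fixed
    usim = USIM(k, sqn0)
    known = infer_seq_bits(collect_deltas(hn, usim, n_bits), ind_bits)
    true_seq = ((sqn0 + (1 << ind_bits)) & SQN_MASK) >> ind_bits  # SQN carried by challenge 0
    return known, true_seq


if __name__ == "__main__":
    learned, seq = run_attack(secrets.token_bytes(16), 0x1234_5ABC_DE77, 10)
    print(f"SEQ     = {seq:048b}")
    print("learned =", dict(sorted(learned.items())))
```

With n = 10 the attacker fetches 1024 challenges and performs 11 replays, which matches the order of magnitude of the PoC in Section 5 (1025 challenges, 12 AUTS). Each delta_p fixes bit p and, whenever a carry ripples, the whole run of ones above it plus the first 0, which is why more than n bits are sometimes learned.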


4 Attacks on Privacy 

We now explain how one can leverage the attack presented in Section 3 to break subscribers' privacy by conducting an activity monitoring attack. As explained in Section 2.4, this new class of attacks allows an attacker to monitor targeted subscribers' activity, even for periods during which the subscribers are outside the attack area (see Figure 2b).

In a nutshell, the attacker conducts the previously described attack when targeted subscribers are in the attack area, thereby learning the n least significant bits of SQN at different times t_1, t_2, ... We explain in Section 4.1 how the attacker can then relate this information to the number of AKA sessions the subscribers have run between times t_1, t_2, ... Next, we show how the attacker can relate the number of AKA sessions some UE has performed in a given period of time to its typical service consumption during that period.

Therefore, the attacker learns the typical service consumption of targeted subscribers between times t_1, t_2, ... even if such subscribers are outside the attack area most of the time (i.e., in between times t_i). Please refer to Section 5 for practical aspects of the attack (e.g., the number of bits of SQN that can be inferred). We illustrate this new threat with some practical attack scenarios (Section 4.2). We conclude in Section 4.3 with a variant of our attack that could yield location attacks against a variant of AKA that fixes previously known privacy attacks, which is notably relevant in the context of the in-progress standardization of 5G AKA, phase 2.

4.1 Relating SQN Increases to Activity Patterns

We first need to learn the value that is added to SQN after each successful authentication. The conclusion of our practical investigations (see Section 5) is that this value is 1 for all tested operators. This value is needed because equal differences of SQN could result from different operations: if the victim's SQN has increased by 20, it could be the result of either 4 increases of 5 (4 authentications) or 2 increases of 10 (2 authentications). We found how much SQN increases upon authentication for several operators by running the algorithm algo() for several values of the increment and keeping the value yielding no Error (see Algorithm 1). We stress that this has to be done just once for a given operator.








New Privacy Threat on 3G, 4G and Upcoming 5G AKA Protocols
Next, in order to relate information about the number of AKA sessions of a victim to the victim's activity, we have to exploit the fixed authentication policies discussed in Section 5.2 (i.e., which user activities trigger an authentication and thus an AKA session). Because of the different operator configurations, authentication may or may not happen on each SN network attach, call, or reception/sending of an SMS. As a result, we also analyzed how frequently authentication is performed by inspecting signaling messages during repeated attach procedures (triggered by calling or sending SMSs). We found that there are small variations in authentication frequency among operators, but for most of them an authentication was required for each outgoing call and each sent SMS. Despite those variations, one can easily infer the fixed policy of a given operator, once and for all, by inspecting signaling messages, e.g., on one's own phone.

We leave a comprehensive review of existing policies as future work.

4.2 Examples of Practical Scenarios 

We now illustrate the potential real-life impact of our activity monitoring attack with two practical scenarios.

Spying on embassy officials or journalists. Assuming an adversary has a fake base station near an embassy, he can learn the officials' activity not only when they are at the office during working hours, but also when they are not, including during evenings and nights (e.g., at home) or during business trips. Therefore, such an attacker may learn whether targets use different SIM cards for private use (no activity at home). He may also infer whether some specific time period (e.g., one evening and night) was particularly busy (a lot of calls or SMSs were made, yielding a large rise of SQN).

Better ad targeting. Consider for instance a shop that wants to know more about its customers (e.g., to improve ad targeting) using fake base stations. This kind of scenario has already been reported [24] (using the Wi-Fi capabilities of smartphones) and exploited [25] in real shops. Our attack creates a new threat in that context since it leaks to the shop the customers' typical mobile consumption during the periods between visits (while they are outside the attack area).


4.3 Deriving Location Attacks 

Using variants of our attack, one could mount location attacks (i.e., inferring whether some targeted UE is in some physical area) even if the leak of identity (currently enabling IMSI-catcher attacks) and the traceability based on failure messages were fixed.

More precisely, we first assume that the identity request phase is well protected using, e.g., encryption (as done in 5G, phase 1 [2]). Second, we assume that the two failure cases (MAC or freshness failure) are merged (an AUTS message is also sent in case of MAC failure, the network being able to infer the reason for the failure) to address the latter known flaw. Under those assumptions, to the best of our knowledge, there is no known attack that could break subscribers' privacy. However, either of the two following variants of our attack still allows an active adversary to perform location attacks¹.

First, if an attacker knows a value CONC_0 of some targeted UE_0 and obtains a value CONC' from some unknown UE (this can easily be obtained by replaying the same genuine challenge), then he can infer whether the unknown UE is UE_0 with very high probability by inspecting how large CONC_0 ⊕ CONC', interpreted as an integer, is. Indeed, when the two UEs do not match, CONC_0 ⊕ CONC' = (SQN_UE0 ⊕ AK*_0) ⊕ (SQN'_UE' ⊕ AK*') (where AK*_0 ≠ AK*' since the two USIMs hold different keys; see Section 3.1), which is a 48-bit random-looking value. By contrast, when they do match, CONC_0 ⊕ CONC' = SQN_UE0 ⊕ SQN'_UE0, which is very likely a small value (we never observed values of more than 10 bits).

Second, by learning sufficiently many bits of some targeted UE's SQN, an active attacker will be able to track this UE with reasonable probability by keeping track of the SQN values he repeatedly learns (recall that SQNs are 48 bits long, so they almost injectively identify UEs even taking into account the fact that they evolve). Obviously, the practicality of such an attack heavily depends on the number of bits one can infer, the frequency at which the target visits the attack area, and the speed at which the target's SQN rises.

We consider those location attacks as potential threats for the upcoming 5G, phase 2, which may address previous flaws but not necessarily this new attack.


¹ Note that our activity monitoring attack can also be exploited under those circumstances.
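How an attacker uses the SQN values learned across visits, as an added example covering Section 4.1 (counting AKA sessions between two visits from the n low bits recovered at each) and the first variant of Section 4.3 (deciding whether an unknown UE is the target from CONC_0 ⊕ CONC'). This is not the paper's code; f5* is again replaced by a truncated HMAC (assumption), the subscriber keys, SQN values and the 37 sessions between visits are constructed data, and the 10-bit threshold follows the paper's observation that matching UEs never produced more than 10-bit differences.

```python
"""Exploiting learned SQN values across visits (added example, not the paper's code):
counting AKA sessions between two visits from the n low bits of SQN (Section 4.1) and
the same-RAND CONC xor test that tells a known UE from an unknown one (Section 4.3)."""
import hashlib
import hmac
import secrets

SQN_BITS = 48


def f5_star(k: bytes, rand: bytes) -> int:
    """Stand-in for MILENAGE f5* (assumption: HMAC-SHA256 truncated to 48 bits)."""
    return int.from_bytes(hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:6], "big")


def conc(k: bytes, rand: bytes, sqn_ue: int) -> int:
    """CONC field of AUTS as specified: SQN_UE xor AK*, with AK* a function of (K, RAND) only."""
    return sqn_ue ^ f5_star(k, rand)


def sessions_between(low_then: int, low_now: int, n_bits: int, gamma: int = 1) -> int:
    """AKA sessions run between two visits, from the n least significant bits of SQN
    learned at each visit. The answer is only defined modulo 2^n / gamma: a target that
    authenticated more often than that in between wrapped the observed window, and the
    true count is this value plus a multiple of 2^n / gamma."""
    if n_bits <= 0 or gamma <= 0 or (1 << n_bits) % gamma:
        raise ValueError("gamma must be a positive divisor of 2^n")
    diff = (low_now - low_then) % (1 << n_bits)
    if diff % gamma:
        raise ValueError("difference is not a multiple of gamma: wrong increment or wrong target")
    return diff // gamma


def same_ue(conc_target: int, conc_unknown: int, max_bits: int = 10) -> bool:
    """Section 4.3, first variant. Both CONC values must stem from replaying the SAME
    RAND: for the target, AK* cancels and the xor is SQN xor SQN' (a small number, at
    most 10 bits in the paper's observations); for another UE it is
    SQN xor AK* xor SQN' xor AK*', 48 random-looking bits."""
    return (conc_target ^ conc_unknown) < (1 << max_bits)


def false_positive_probability(max_bits: int = 10) -> float:
    """Chance that an unrelated UE passes same_ue: a uniform 48-bit value below 2^max_bits."""
    return 2.0 ** (max_bits - SQN_BITS)


def demo() -> tuple:
    """Constructed scenario: target A runs 37 AKA sessions between two replays of the
    attacker's stored challenge; B is an unrelated subscriber given the same challenge.
    Returns (A recognised, B recognised, sessions counted for A from 10 low bits)."""
    k_a, k_b = secrets.token_bytes(16), secrets.token_bytes(16)
    rand0 = secrets.token_bytes(16)             # the one challenge the attacker keeps replaying
    sqn_a_then, sqn_b = 0x1F00_0000_0300, 0x0C00_0000_7B11
    sqn_a_now = sqn_a_then + 37                 # gamma = 1 per successful authentication
    conc_a_then = conc(k_a, rand0, sqn_a_then)
    conc_a_now = conc(k_a, rand0, sqn_a_now)
    conc_b = conc(k_b, rand0, sqn_b)
    n = 10                                      # bits the PoC of Section 5 recovers
    low = (1 << n) - 1
    return (same_ue(conc_a_then, conc_a_now), same_ue(conc_a_then, conc_b),
            sessions_between(sqn_a_then & low, sqn_a_now & low, n))
```

The modulo caveat in sessions_between is the practical limit of the activity monitoring attack: with 10 recovered bits and γ = 1, more than 1024 authentications between two visits cannot be distinguished from the count modulo 1024, so the attacker needs either more bits or more frequent visits for heavy users.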
5 Proof of Concept of the Attack and Practical Considerations

In this section, we show how to conduct our attacks in practice on 4G networks using a low-cost and easily available setup. We then explain practical aspects which make our attack easily feasible (e.g., issues in different operators' network and security configurations). We finally discuss our PoC and our experimental results.

Feasibility in 5G. Due to the unavailability of 5G devices and networks, we only demonstrate our attack in a 4G environment. As already mentioned, we know that the 5G, phase 1 specification already suffers from our attacks. Moreover, we believe that it will soon be feasible to demonstrate our attack against real 5G networks due to the fast open source developments for 5G [26]. For example, 2G was launched in 1991 but the first open source software only became available in 2010 (with OpenBTS [27]). In contrast, 4G was launched in 2009 [28] and open source 4G software was already supported the same year by OpenAirInterface [29].

5.1 Experimental Setup 

The first experimental setup aims at building a platform to collect the victim's authentication challenges. Further, we modify and build software tools to make the victim's UE attach to a rogue 4G base station so that one can inject legitimate radio layer signaling messages.

Our hardware setup is depicted in Figure 4; it consists of a laptop, a Universal Software Radio Peripheral (USRP) B210 [20], and a PC/SC [30] capable smartcard reader (we used an ACS ACR38 [31]) with commercial USIM cards.

Our complete experimental setup costs about 1140€ excluding the laptop (which could be replaced by a cheaper Raspberry Pi): 1120€ for the USRP and 20€ for commercial operators' prepaid USIM cards.

5.1.1 Attacker’s Setups 

We now explain how hardware and software components can be combined into different setups to demonstrate our attack.

Obtaining authentication challenges. We used the software srsUE from the srsLTE suite [32], configured with the target's IMSI, together with the USRP B210 for obtaining authentication challenges. Essentially, the USRP B210 tries to impersonate the target's USIM. When doing so, each session fails because srsUE does not know the target's secret key K (so it cannot compute the appropriate RES) but, before the failure, we obtain a new, genuine authentication challenge that is intended for the target's USIM. We were able to fetch authentication tokens using the USRP at a surprisingly high speed (see discussion later) but, if for some reason a network recognizes the USRP as a fake smartphone, we can still use genuine phones with programmable [33] USIM cards (ca. 80€). We describe this alternative setup in Appendix D.

Fig. 4. Our experimental setup, showing a smartcard reader, USRP (left), set of commercial USIM cards, and a test phone.

Fetching AUTS messages using a rogue base station. Utilizing an OpenLTE [34] based 4G network running on a USRP B210, we sniff over-the-air signaling messages and masquerade as a real base station. We configure a rogue base station to mimic a real operator to lure the victim's UE to attach through the 4G reselection procedure [9]. The base station is then able to inject messages and eavesdrop on the replies. We use this method to fetch the AUTS messages that a USIM sends as part of the AKA protocol.

5.1.2 Ethical Considerations 

Our research reveals weaknesses in the AKA protocol specification, which is implemented in every USIM installed in 3G and 4G devices worldwide. We reported our findings to the relevant standardization bodies, 3GPP [35] and GSMA, and to affected network operators. Our results were acknowledged by the involved parties.

We conducted passive attacks only against test USIM cards and smartphones. We operated our rogue 4G base station inside a Faraday cage [36] to comply with legal requirements.
5.2 Attack Background

Before explaining our PoC, we report on our investigation of AKA-related security configurations of 4G networks which make our attack easier to perform. We selected several major European 4G operators, including three German, three Austrian, two French, and one Swiss operator.

We were able to collect authentication challenges intended for the targeted USIM at any moment, for any subscriber in the world. Note that to achieve this step, the attacker only needs to know the IMSI (or any temporary or encrypted identity) of the particular victim's USIM. If the attacker knows the subscriber's mobile phone number, he can perform HLR lookup attacks [37] to learn the victim's IMSI. Previous work [9] also demonstrates how to find the IMSI and GUTI of a targeted victim from a mobile phone number or social identities such as email, Facebook and Twitter. Based on the data collected from our experiments, we studied the following parameters of the operators' 4G networks. We stress that there is no need to learn more information (e.g., the secret key K_IMSI) about the targeted USIM.

We found that most operators allow fetching authentication challenges without a rate limit. Using our first setup based on srsUE, we were able to fetch fresh, unused authentication challenges consecutively at a speed of 1 per second. Using our second setup involving a smartphone, we were able to fetch more than 30 challenges in less than 10 minutes. We expect a setup based on multiple rogue base stations to achieve much better performance.

Background in 5G. Since no 5G deployment has been completed yet, we could not conduct a full PoC in 5G. We emphasize however that, if no dedicated mitigation is implemented, the different steps of our attack could be performed in 5G as well. The only major difference concerns the way we would fetch authentication challenges. To do so, we do not have to learn the SUPI (the subscriber's identifier in 5G, which is supposed to remain secret) but only a valid SUCI. Since the SUCI is sent in the clear by subscribers, the attacker just has to eavesdrop on one SUCI and can from then on fetch as many authentication tokens for that subscriber as he wants (using the SUCI instead of the IMSI). The rest of the attack remains the same for 5G infrastructure.


5.3 Proof of Concept 

Upon knowing the victim's identity and location [9], an attacker can perform our subscriber activity monitoring attack. This attack requires obtaining a large number of authentication challenges for the victim's USIM. But as discussed in Section 5.2, we did not observe any countermeasure preventing us from fetching a large number of them.

The more consecutive challenges one fetches, the more bits of the victim's SQN one can infer. Then, using a rogue base station, the attacker injects some of those challenges and stores the replied AUTS messages as explained in Section 5.1.1.

We built a modest setup as a proof of concept of our attack. We were able to request 1025 authentication challenges and collected 12 AUTS messages from 24 injections of AKA messages. Using our generic SQN inference algorithm, those 12 AUTS messages were enough to infer at least 10 bits of SQN (the least significant ones), sometimes more². Obviously, an attacker with greater capabilities and more elaborate setups (notably multiple rogue base stations for fetching challenges, which turns out to be the bottleneck) could infer more bits.

5.4 Attacks Feasibility and Amplifications 

We now describe the feasibility of our subscriber activity monitoring attacks against commercially deployed 4G devices. Further, we discuss possibilities for extending the coverage range of the USRP device.

Impacted devices. The AKA protocol vulnerability we found is part of the 3GPP specifications and does not rely on implementation issues in 3G/4G devices. In fact, the affected part of the AKA protocol is implemented in the USIM and not in the baseband OS of devices. Thus, any 3G/4G device deployed worldwide with an active USIM card is affected by our attacks. For our investigations, we selected prepaid USIM cards of a few leading cellular operators. We collected and stored unused authentication challenges for these USIM cards as described before. Then we successfully verified that these USIM cards were vulnerable to our attack. As mentioned earlier about feasibility in 5G networks, if no dedicated mechanism for mitigating our attack is implemented, 5G devices will also suffer from our attack.


² Our generic algorithm (see Appendix B) can be more efficient.



Range of the attack. Previous research suggested that the coverage radius of a rogue base station using a USRP B210 and OpenLTE ranges between 50 and 100 meters [9], without external hardware to boost the signal. The coverage range of our attacks could be increased to locate and inject radio layer messages to a 4G device equipped with a USIM within a 2 km² area, as discussed in [9].

Detection. We also investigated possible methods for end subscribers to detect our attack. Unfortunately, our attacks cannot be detected by the mobile OS (e.g., Android or iOS). The reason is that the AKA protocol is executed in the USIM and the baseband chip, which communicate only limited information to the mobile OS.

6 Security Analysis and Lessons Learned

In this section, we discuss the AKA specification issues and their impact on 3G/4G/5G security principles. First, we describe the AKA protocol design choices and discuss the trade-off considerations related to security, availability, and cost which are partly responsible for our attacks. The following analysis is based on the data and practical experiments in 3G/4G networks. Finally, we draw conclusions and summarize lessons learned that may be relevant for the in-progress standardization of 5G, phase 2.

Choice of symmetric-key cryptography. We demonstrated (Section 5) how a low-cost setup allows an attacker to fetch unused challenges (RAND, AUTN) of any active 4G subscriber in the world from any network. We now explain the AKA protocol design choice of authentication method and the trade-offs responsible for enabling access to RAND and AUTN. AKA is a challenge-response type of protocol and utilizes a symmetric-key based authentication mechanism. We believe that the choice of symmetric-key cryptography stems from three trade-offs.

The first is a trade-off between security and cost: the high cost of introducing a Public Key Infrastructure into the 3G/4G systems and an asymmetric mechanism into the USIM paved the way for choosing a symmetric-key based authentication technique. Because of this high cost, the 3GPP designers were limited in previous 3G and 4G networks; however, public-key cryptography is introduced in 5G, only for protecting identities [2]. Note that authentication in 5G, excluding identification, is still based on symmetric cryptography.


The second is a trade-off between security and network availability: the use of a symmetric key avoids the risk of shutting out legitimate subscribers in case of a network failure or crash [38]. For example, if the SN (in particular the MME) software crashes, the temporary identity of a subscriber can no longer be recognized. In such a case, the network needs to request the permanent identity from the subscriber.

The third is a trade-off between privacy and network efficiency. AKA is a one round-trip authentication protocol; i.e., only two exchanged messages are needed to establish mutual authentication after identification. The mechanism chosen to achieve mutual authentication with only two exchanged messages is the synchronized SQN. Allowing the UEs to generate a random number could have enabled different authentication methods. However, in 2000 (when 3G AKA was designed), the UE's computational resources were limited. With three exchanged messages, the protocol would not need this synchronized state, and this additional message exchange could have enhanced privacy. However, it would also negatively impact network efficiency, notably because it would always require a message exchange between the HN and the SN as well [38].

The above trade-offs force the network to send RAND and AUTN to perform a round of challenge-response for the authentication of a subscriber's temporary or permanent identity. This allows an attacker to impersonate a subscriber's identity and fetch an unlimited number of RAND and AUTN challenges from any network. One reason why an attacker can fetch those challenges of any subscriber from any network is the trust between the SNs and the HNs. Indeed, in the 3G and 4G architectures, the HN and SN trust each other due to roaming agreements. Further, such illegitimate requests are difficult to filter out from the legitimate ones because of the risk of shutting out real subscribers from accessing the network. One potential solution is to rate limit (based on time or numbers) authentication requests per subscriber; however, an attacker could learn such a rate limit by simply testing the network. We found that one of the operators implements a rate limit of 3 consecutive failures. Moreover, an attacker could bypass this countermeasure by requesting authentication challenges from different SNs.

Replay protection measures. The AKA protocol uses SQN as a challenge to prevent replay attacks, and keeps synchronized state between the UE and the HN. This SQN challenge and the synchronization method prevent replay attacks: the UE verifies whether a challenge (AUTN) is fresh or replayed. In case of network failure, legitimate authentication challenges may get lost, resulting in the HN and the subscriber being de-synchronized. In order to re-synchronize, the protocol uses the AUTS message, which contains the current SQN_UE of the USIM XORed with the anonymity key AK*. However, this value SQN_UE ⊕ AK* contained in AUTS lacks randomness because the key AK* is derived from the same RAND value, as discussed in Section 3.1. Our attack from Section 3.1 indicates a lack of replay protection for AUTS, unlike the one existing for AUTN.

Lessons for 5G. 5G phase 1 security has been released by 3GPP, including an enhanced AKA protocol featuring the HN's public keys to provide subscriber identifier privacy [39]. However, our attacks reveal another threat to subscribers' privacy. In the future, clever and sophisticated attackers may find new ways to use every obtainable piece of information to carry out further AKA-related attacks in 5G networks. Hence, it is important to protect the sequence numbers used in authentication procedure messages.

Though the first phase of 5G security is completed, we suggest that all security protocols in 5G should go through formal verification before phase 2 is released (some first steps have been taken in [40] and in this paper). More generally, the authors of [41] provide industrial case studies (WiMAX, EAP, and ISO/IEC 9798) and discuss how formal methods and associated security tools could be integrated into the standardization process.


7 Countermeasures

As already explained, the main attack vector we exploit in our attacks is the use of XOR and the lack of randomness in AUTS, making the concealment of SQN by AK* ineffective. We propose three main countermeasures F1, F2, and F3 to solve this problem. We also discuss how our fixes provide an opportunity to fix the known linkability attack based on failure messages discussed in Section 2.3. We conclude with a formal analysis of our fixes using the state-of-the-art Tamarin automated prover.

Note that, when discussing our countermeasures, we also consider practical aspects related to the existing and next generation cellular networks. Thus, the following fix we propose is easy to deploy in the current cellular system and only requires changes in baseband and authentication server software in the HSS. The other two fixes, F2 and F3 in Appendices E.1 and E.2, are suitable for next generation networks since they require additional modifications to deployed hardware (e.g., USIM).

7.1 Symmetrically Encrypt SQN_UE

Our simplest fix consists in modifying the concealing mechanism: instead of using XOR (whose algebraic relations enable cancelling out AK*), the USIM may use symmetric encryption. Note that current USIMs and the HSS (in particular the AuC) are already capable of symmetric encryption. The symmetric key used to encrypt SQN_UE could be derived from the key K_IMSI and the RAND in the received authentication challenge. The resulting fix is depicted in Figure 5. This can very easily be adapted to fix the linkability of failure messages (see Section 2.3) as well. It suffices to hide the failure reason inside the ciphertext CONC* as follows: CONC* ← enc((Reason_Failure, SQN_UE), CK*).

Fig. 5. Fix F1: Fix by symmetrically encrypting SQN_UE (message flow between the User Equipment (UE) and the Serving Network (SN)).

The HN is required to decipher CONC* in order to learn the reason for the UE's authentication failure. However, this mechanism could add extra processing load on the HN due to the decryption requirement. Alternatively, such processing load could be offloaded from the HN to the SN by transmitting the decryption key in the set of authentication vectors. Finally, note that this solution suffers from a minor flaw: when the attacker triggers a synchronization failure twice by injecting the same authentication challenge while SQN_UE has not changed, the two replied CONC* values will be equal, leaking to the attacker the information that SQN_UE is still the same (we consider such an attack impractical though; more details in Appendix E.1).
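Fix F1 next to the current XOR concealment, as an added example that is not the paper's code or Tamarin model. Both variants derive their per-challenge key material from (K, RAND) through an HMAC-based derivation (an assumption standing in for f5* and for whatever CK* deriv­ation a deployment would pick), and the cipher is a toy HMAC-based Feistel network over the 64-bit block (Reason_Failure || SQN_UE), standing in for the block cipher a USIM already implements. The 16-bit reason encoding is constructed for the example. The block shows why XOR leaks (AK* cancels under replay), why the encrypted variant does not (no algebraic relation between the two ciphertexts), how the HN recovers both fields, and the residual flaw noted above (identical CONC* while SQN_UE is unchanged).

```python
"""Fix F1 (Section 7.1) as an added example, not the paper's code: conceal
(Reason_Failure, SQN_UE) with a symmetric cipher keyed by CK* = f(K, RAND) instead of
XOR with AK*. The cipher is a toy HMAC-based Feistel network standing in for whatever
block cipher the USIM already implements; the key derivation is likewise an assumption."""
import hashlib
import hmac

SQN_BITS = 48
SQN_MASK = (1 << SQN_BITS) - 1


def kdf(k: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    """Assumed (K, RAND) -> key derivation (HMAC-SHA256); stands in for f5* and the CK* derivation."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]


def _round(key: bytes, i: int, half: int) -> int:
    return int.from_bytes(hmac.new(key, bytes([i]) + half.to_bytes(4, "big"),
                                   hashlib.sha256).digest()[:4], "big")


def feistel(key: bytes, block: int, decrypt: bool = False, rounds: int = 4) -> int:
    """64-bit balanced Feistel network (toy): a bijection, so the HN can invert it,
    and nonlinear, so enc(x) xor enc(x + T) carries no information about x."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for i in (range(rounds - 1, -1, -1) if decrypt else range(rounds)):
        if decrypt:
            left, right = right ^ _round(key, i, left), left
        else:
            left, right = right, left ^ _round(key, i, right)
    return (left << 32) | right


def conc_xor(k: bytes, rand: bytes, sqn_ue: int) -> int:
    """Current AKA: CONC = SQN_UE xor AK*. Replaying RAND reuses AK*, which cancels under xor."""
    return sqn_ue ^ int.from_bytes(kdf(k, b"f5*", rand, 6), "big")


def conc_enc(k: bytes, rand: bytes, sqn_ue: int, reason: int) -> int:
    """Fix F1: CONC* = enc((Reason_Failure, SQN_UE), CK*), with a 16-bit reason code
    (constructed encoding, e.g. 0 = MAC failure, 1 = synchronisation failure)."""
    if not 0 <= sqn_ue <= SQN_MASK or not 0 <= reason < (1 << 16):
        raise ValueError("field out of range")
    return feistel(kdf(k, b"ck*", rand, 16), (reason << SQN_BITS) | sqn_ue)


def hn_open(k: bytes, rand: bytes, conc_star: int) -> tuple:
    """HN side: recover (reason, SQN_UE). Needs K, unless CK* is shipped to the SN with the
    authentication vector, as the text suggests for offloading."""
    plain = feistel(kdf(k, b"ck*", rand, 16), conc_star, decrypt=True)
    return plain >> SQN_BITS, plain & SQN_MASK


def leak_with_xor(k: bytes, rand: bytes, sqn: int) -> int:
    """What the Section 3 attacker computes today: AK* cancels, leaving SQN xor (SQN + 1)."""
    return conc_xor(k, rand, sqn) ^ conc_xor(k, rand, sqn + 1)


def leak_with_enc(k: bytes, rand: bytes, sqn: int) -> int:
    """Same computation against fix F1: no algebraic relation between the two ciphertexts."""
    return conc_enc(k, rand, sqn, 1) ^ conc_enc(k, rand, sqn + 1, 1)
```

Because CK* is a deterministic function of (K, RAND) and the plaintext is deterministic, replaying the same challenge against an unchanged SQN_UE yields an identical CONC*, which is exactly the minor flaw described above; F2 and F3 in Appendix E address it at the cost of changes to the USIM.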









7.2 Formal Verification 

We have presented a new attack breaking the confidentiality of SQN, its impact on subscribers' privacy, and possible fixes to address this issue. A natural goal is then to evaluate those fixes. While all our fixes intuitively remove the attack vector on which our attack is based, we believe that an informal argument or even a pen-and-paper proof would not provide enough confidence considering the complexity and size of the AKA protocol. We actually advocate the use of formal methods, which provide rigorous mathematical frameworks and techniques to analyze security protocols.

Related Work. Such techniques have already been leveraged in the past (notably by 3GPP) to formally verify the AKA protocol to some extent (e.g., formal analysis in enhanced BAN logic and TLA [42], and in the tool ProVerif [7, 21]). More recently, an in-depth formal analysis of 5G AKA [40] has been conducted using the tool Tamarin [16]. However, all those analyses failed to capture our attack³ because those prior models abstracted the protocol too much. For instance, except for [40], they do not model the re-synchronization procedure at all, which is at the core of our attack, while [40] focuses on authentication properties and only models a specific scenario for privacy in order to capture a location privacy attack.

Challenges. We now focus on formal verification in the symbolic model, which provides a high level of automation. The limitations of prior analyses can be explained by the fact that the AKA protocol and its features cause several difficulties to state-of-the-art tools and methods (such as ProVerif [43] and Tamarin [16]): (i) the modeling of the ⊕ operator, which most tools cannot handle at all, (ii) the presence of non-monotonic state (i.e., SQN, whose value must be stored from one session to the next), and (iii) basic arithmetic (i.e., SQN is essentially an integer, and integer additions and comparisons are carried out by the USIM). Each one of those features constitutes a major challenge to existing techniques. Finally, location privacy or untraceability, as defined e.g., in [44], is not a reachability property but an observational equivalence-based property that is notoriously more difficult to verify (see the survey [45]). For an unbounded number of sessions, the only tools that can verify some sort of observational equivalence are ProVerif and Tamarin. The approximations those tools adopt (due to the fact that the underlying problem is undecidable) make the verification less precise and often lead to false attacks when verifying untraceability, despite recent research efforts [46, 47].

³ While they did not focus on the confidentiality of SQN, they still could have captured the traceability variants explained in Section 4.3.

Our Formal Analysis. We took a first step towards a precise formal analysis of privacy for the AKA protocol in the symbolic model. We leveraged the state-of-the-art tool Tamarin [16] and built upon [40] in order to provide a symbolic model of the AKA protocol that is precise enough to capture our attack. Our models are available at [48]. We took the re-synchronization procedure into account and used the new feature [49] to precisely model the ⊕ operator. Note also that Tamarin is capable of modeling stateful protocols, so we were able to precisely model SQN. We modeled the AKA protocol without the fix as well as with the three fixes. We were not able to faithfully analyze the confidentiality of the SQN value as this would require modeling the algebraic relations of ⊕ on integers; this is one of the reasons why [40] missed our attack.

However, for two sessions, we were able to analyze the confidentiality of δ_0 = SQN ⊕ (SQN + 1), which is one of the values needed to bootstrap our attack. In our model, the confidentiality of δ_0 was automatically proven for all our fixes, and our attack breaking this property was automatically found without our fix. We consider this analysis as a first step towards a more precise model amenable to automatic verification of privacy-related properties, which has proven extremely complex to produce. We leave that task as future work.

In summary, the state of the art in mechanized formal verification does not provide off-the-shelf techniques to verify privacy-related properties of the AKA protocol with sufficient precision. Considering the importance and ubiquity of the AKA protocol, we think that formally verifying it, and solving the aforementioned challenges in order to provide a precise symbolic model of the AKA protocol and its variants, is a substantial but important goal.


8 Conclusion 

We disclose a subtle vulnerability in the AKA protocol affecting the 3G, 4G, and upcoming 5G technologies. We demonstrate how this vulnerability can be exploited to mount activity monitoring attacks, allowing attackers to learn a new type of privacy-sensitive information about subscribers, i.e., consumption patterns. As a proof of concept, we show how an active attacker equipped with a low-cost and widely available setup can perform our attack in several European 4G networks, learning SQN with granularity 2^10. We leave a comprehensive evaluation of the privacy impact of our attack as future work. We then analyze the root causes of the vulnerability and their impact on 3G/4G/5G security principles to derive lessons for future 3GPP standardization, notably 5G, phase 2. Finally, we provide countermeasures and formal guarantees that also motivate further research into improving and formally analyzing the AKA protocol.
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A Notatations & Acronyms 

We show in Table 1 an informal correspondence be¬ 
tween our informal security artchitecture terminology 
and proper terninologies in 3G, 4G, and 5G networks. 

B Generic SQN Inference Algorithm

This section is dedicated to the description of our generic SQN inference algorithm, parametrized by the increment γ that is used for updating SQN_HN after each successful AKA session. In a nutshell, it is an extension of the algorithm described in Section 3.2.2 that works even when γ > 1. In particular, it is based on the same idea, which consists in learning whether a remainder (carry) propagated or not at a specific position.

Informal description of the algorithm. We now give an informal presentation of this algorithm. While we have not reached a fixed point, we do the following.
- For all δ_i from the sequence {δ_j}_j given as input (let us call i its position in the sequence), we do the following.
    - For all bit positions p from 0 (the least significant bit position) to 47 (the most significant bit position), we do the following.

        * We compute Γ = γ · 2^i, which corresponds to the value that has been added to SQN_UE^0, resulting in the sequence number in AUTS_1, where δ_i = AUTS_0 ⊕ AUTS_1. Using all already inferred bits of SQN_UE^0 at positions from 0 to p − 1, we infer whether Γ + SQN_UE^0 yields a remainder (carry) that propagates from bit position p to p + 1. If the latter could not be inferred, continue to the next iteration. If it could be inferred, we let Γ'[p + 1] and Γ'[p] be the bits, at positions p + 1 and p, of Γ plus the (possible) remainder.

Now, using this information and Table 6, we may be able to infer the bit of SQN_UE^0 at position p. The symbol † means that the given δ_i is incoherent with the previously analysed δ_j; this may happen, for instance, if some δ_i were not fetched correctly.

Our acronym    | In 3G         | In 4G            | In 5G                   | Description (if needed)
IMSI           | IMSI          | IMSI             | SUPI                    | International Mobile Subscriber Identity
UE/Subscriber  | MS            | UE               | UE                      | User Equipment (contains a USIM)
SN             | VLR+SGSN+...  | eNodeB+MME+...   | SEAF+AMF+gNB+...        | Serving Network
HN             | HE+HLR+...    | HSS+HLR+AuC+...  | AUSF+ARPF+UDM+SIDF+...  | Home Network

Table 1. Informal correspondence between terminologies


                              Bits δ_i[p + 1], δ_i[p]
Increment Γ'[p + 1], Γ'[p]   |  0, 0  |  0, 1  |  1, 0  |  1, 1
0, 1                         |   †    |   0    |   †    |   1
1, 1                         |   †    |   1    |   †    |   0
0, 0 and 1, 0                |  Impossible to infer, just continue

Fig. 6. Given the bits of the increment Γ at positions p + 1 and p, and the bits of δ_i at positions p and p + 1, this table gives the inferred bit of SQN_UE^0 at position p. † indicates an inconsistency.

When a fixed point has been reached (i.e., the two loops have been completed without being able to infer more bits of SQN_UE^0), stop and return the inferred bits.

Discussion. Note that for increment values we sometimes observed (e.g., γ = 33), this algorithm allows inferring more bits than the algorithm described in Section 3.2.2 (i.e., twice as many when n = 6). Indeed, the binary representation of 33 is 100001 and thus, each time we analyse a certain δ_i with its corresponding increment Γ = γ · 2^i, we are able to exploit the bit position i (because of the addition of 1_2 · 2^i) and the bit position i + 6 (because of the addition of 100000_2 · 2^i).

Finally, note that this algorithm can be made even more generic by dealing with AUTS fetched in different ways (e.g., resulting from the injection of consecutive challenges instead of powers of 2): it suffices to adapt the way we compute Γ.


C Other Variants of SQN Policies 

According to non-normative specifications (Sections C.2 and C.3 of TS 33.102 [6]), SQN and its update policy can take different forms. We briefly explain how our attack can be easily adapted to those variants.

SQN can be made of two components, SQN = SEQ‖IND, where SEQ is a 43-bit integer that counts all past AKA sessions and IND is a 5-bit index. Essentially, IND indicates the SN for which SEQ should be used, and the USIM possibly stores other SEQ values corresponding to other SNs (this is called the array mechanism in the specification [6]). When such a policy is in use, one can use a slightly different variant of our attack: (i) injections of authentication challenges should be done while using the same SN identifier towards the UE and the same SN while fetching authentication tokens, and (ii) the algorithm used to infer bits should drop the first 5 bits of SQN. This allows the attacker to break the counter part of SQN, namely SEQ, leading to the same privacy attacks explained in Section 4. Indeed, IND is not useful for the practical attacks we describe in Section 4; only the integer counting the number of successful AKA sessions is relevant, here SEQ. Note however that IND actually seems to be highly predictable. For example, two SQN values in two AUTN vectors that were requested by the SN are expected to use the same IND value.

Note that there are other policies; for example, SQN can also be time-based. For such policies, for which SQN does not contain any information about the number of successful AKA sessions made by the UE, our attack no longer works. However, we have not observed any operator using such policies.
D Attacker's Setup: Using Reprogrammable USIM

In addition to the setup described in Section 5.1.1, we have shown that one can use genuine smartphones with a reprogrammable USIM for fetching a large number of authentication tokens intended for the target's USIM.

We used the tool pySIM [50] to program USIM cards using an external smartcard reader. While programming commercial USIM cards is not possible, SysmoUSIM [33] cards can be reprogrammed to store any given IMSI.

We inserted the programmed USIM in a smartphone to read all the traffic (i.e., signaling messages) as explained next. Having access to signaling messages, we stored the received authentication challenges (AUTN and RAND) sent by the networks intended for the targeted USIM. We used the SCat tool [51] to gain access to signaling messages. We selected Android-based Huawei and Asus smartphone models due to the availability of direct access to the baseband using AT commands [52] to store signaling messages automatically.

E Countermeasures 

E.1 Correctly Randomise AUTS (F2)

One way to fix the attack vector we have discovered consists in using a fresh random generated by the UE to conceal SQN_UE, instead of reusing the one contained in the received authentication challenge (generated by the HN). This random has to be sent in the clear along with AUTS in order to let the HN compute AK* and recover SQN_UE. We depict this solution in Figure 7. Note that the value MAC* must use RAND instead of RAND* so that it really plays the role of a response to the fresh challenge corresponding to the received authentication challenge. Otherwise, a rogue UE could impersonate a UE by replaying one of its old AUTS vectors, forcing the HN to synchronise SQN to an older value.

With this fix, replaying the same authentication challenge twice leads to two AUTS vectors whose concealed values are $c_1 = (\mathrm{SQN}_{UE})_{t_1} \oplus f5^*(\mathrm{RAND}_1, K_{IMSI})$ and $c_2 = (\mathrm{SQN}_{UE})_{t_2} \oplus f5^*(\mathrm{RAND}_2, K_{IMSI})$. More importantly, when xoring c_1 and c_2, the two AK* values do not cancel out, which breaks the relations exploited by our attacks. Note that this fix can be implemented in combination with the fix for the linkability of failure messages described in Section 7.1.

[Figure 7: message flow between UE and SN]
Fig. 7. Fix F2: correctly randomizing AUTS

However, this solution still suffers from the following minor flaw. When replaying the same authentication challenge twice, even though the two concealed values in the two replies are different, as argued above, the two MAC* values in the two replies may be equal (i.e., when SQN_UE has not been modified between the two replays).

The attacker may exploit such an equality to link a subscriber, although we believe that the underlying attack is much less severe than our attacks. In order to solve this issue, one may mix RAND and RAND* in the replied MAC* message as follows:

$\mathrm{MAC}^* \leftarrow f1((\mathrm{SQN}_{UE}, \mathrm{RAND}, \mathrm{RAND}^*), K_{IMSI}).$
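As an added example (not code from the paper), the following Python models the relation that fix F2 breaks: with RAND reused, the xor of the two AUTS replies to a replayed challenge cancels AK* and exposes δ_i = SQN_UE^0 ⊕ (SQN_UE^0 + γ · 2^i), from which the Fig. 6 rule of Appendix B recovers bits of SQN_UE^0; with a fresh per-reply random the two AK* values no longer cancel. The function names, the 48-bit stand-in f5* (truncated HMAC-SHA256 in place of Milenage) and all sample values are assumptions.

```python
"""Added example (not code from the paper): the arithmetic behind the SQN
inference of Appendix B, and why fix F2 (Appendix E.1) breaks it.
AUTS conceals SQN_UE as SQN_UE xor AK*, AK* = f5*(RAND, K_IMSI). With RAND
reused, replaying one challenge twice gives two AUTS whose xor cancels AK* and
exposes delta_i = SQN0 xor (SQN0 + gamma * 2**i); the Fig. 6 rule then reads
SQN0's bits from such deltas. f5* is a stand-in here (truncated HMAC-SHA256)."""
import hashlib
import hmac

SQN_BITS = 48
MASK = (1 << SQN_BITS) - 1

def f5_star(rand: bytes, k: bytes = b"\x00" * 16) -> int:
    """Stand-in for f5*: 48-bit anonymity key from RAND and a constructed K."""
    return int.from_bytes(hmac.new(k, rand, hashlib.sha256).digest()[:6], "big")

def conceal(sqn: int, rand: bytes) -> int:
    return (sqn & MASK) ^ f5_star(rand)          # concealed SQN field of AUTS

def infer_sqn_bits(deltas, gamma: int) -> dict:
    """Fig. 6 rule over deltas[i] = SQN0 xor (SQN0 + gamma * 2**i); returns
    {bit position: bit of SQN0}. One pass per delta suffices: when Gamma'[p] == 1
    the bit is inferred and fixes the carry. ValueError is the dagger case."""
    known = {}
    for i, d in enumerate(deltas):
        big_gamma = (gamma << i) & MASK
        carry = 0                                 # carry into position p
        for p in range(SQN_BITS - 1):
            g = (big_gamma >> p) & 1
            g_p = (g + carry) & 1                 # Gamma'[p]: Gamma[p] plus carry in
            g_p1 = ((big_gamma >> (p + 1)) & 1) ^ ((g + carry) >> 1)  # Gamma'[p+1]
            if (d >> p) & 1 != g_p:               # delta[p] always equals Gamma'[p]
                raise ValueError(f"delta_{i} inconsistent at bit {p}")
            if g_p == 0:                          # rows (0,0), (1,0): cannot infer
                carry = (g + carry) >> 1
                continue
            bit = ((d >> (p + 1)) & 1) ^ g_p1     # rows (0,1), (1,1) of Fig. 6
            if known.setdefault(p, bit) != bit:
                raise ValueError(f"delta_{i} contradicts bit {p}")
            carry = bit                           # carry out of p is SQN0[p] here
    return known

def sqn_xor_deltas(sqn0: int, gamma: int, count: int, fresh_rand: bool) -> list:
    """Xor of the two AUTS replies to each replayed challenge, i = 0..count-1;
    fresh_rand=False reuses the network RAND (standard), True models fix F2."""
    rand = b"\x11" * 16                           # constructed network RAND
    return [conceal(sqn0, rand)                   # bytes([i]) * 16: constructed UE random
            ^ conceal(sqn0 + (gamma << i), bytes([i]) * 16 if fresh_rand else rand)
            for i in range(count)]
```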

E.2 Asymmetrically Encrypt SQN_UE (F3)

Although the use of asymmetric encryption methods was considered too costly and impractical during the 4G system design, it is now known that 5G will rely on it. A fix based on asymmetric encryption, similar to the one presented in [7], is depicted in Figure 8. Similarly to the fix F1, it can be adapted to hide the reason for the failure and can be improved using a random generated by the UE.
[Figure 8: message flow between UE and SN + HN]
Fig. 8. Fix F3: asymmetrically encrypting SQN_UE